
cat-users - Re: [[cat-users]] wildcard certificates supported?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] wildcard certificates supported?


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Jose Manuel Macias Luna <jmanuel.macias AT rediris.es>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] wildcard certificates supported?
  • Date: Wed, 1 Mar 2017 10:45:23 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

On 16.02.2017 at 12:43, Jose Manuel Macias Luna wrote:
>
> Hi,
>
> I'm not sure about this, but surely Tomasz, Alan or Stefan can give an
> appropriate answer.
>
> One of our institutions is using a wildcard certificate for their radius
> server (with CN *.someidp.tld), and that's what they have configured in
> eduroam CAT admin interface. This institution in particular is having
> problems with installers for win8 and win10, and the only thing
> suspicious I see in their profile is the wildcard certificate.
>
> I have been having a look at the admin guide and it says nothing about
> this particular case:
>
> «The name of your server as specified in the Common Name (CN) of your
> EAP server certificate»
>
> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators#AguidetoeduroamCATforinstitutionadministrators-Institution-wideSettings
>
> I did find some text (I think from Stefan?) in the "EAP Server
> Certificate Considerations" article:
>
> server name not a wildcard name (e.g. "*.someidp.tld"): Some supplicants
> exhibit undefined/buggy behaviour when attempting to parse incoming
> certificates with a wildcard. Windows 8 and 8.1 are known to choke on
> wildcard certificates.
>
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
> So my question is... is this accepted by all the clients configured by
> CAT, or would some of them only admit somename.someidp.tld?
>
> If so, I think we should maybe issue a warning at the CAT web interface
> for admins, and/or update the admin guide to reflect this.

Well the web page you linked to stated that you should expect problems
with Win 8.1; so that's a warning right there.

Also, the CAT realm reachability tests should have warned your admin
about exactly this. The string in question which he should have seen is:


"The certificate contained a CN or subjectAltName:DNS which contains a
wildcard ('*'). This can be problematic on some supplicants. If the
certificate also contains names which are wildcardless, and you only use
those for your supplicant configuration, then you can safely ignore this
notice."


I.e. something like:

CN=pegasus.fleet
sAN:DNS=pegasus.fleet, galactica.fleet, *.fleet

and a CAT config which pins Server Name = pegasus.fleet does not create
an issue with supplicants, because the configured name is in both the CN
and a sAN; the extraneous existence of *.fleet does not matter.

(if you'd configured CAT Server Name = galactica.fleet then you'd create
a different issue because that name is only in sAN:DNS but not in CN ->
see the other recommendations on the EAP server considerations page)

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
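As an added example (not part of the thread and not CAT's own code), the following Python reproduces the two checks Stefan's reply describes: the wildcard notice the realm reachability test emits when any CN or subjectAltName:DNS entry contains '*', and the requirement that the Server Name pinned in the CAT profile appear in both the CN and a SAN:DNS entry. The certificate names are supplied already extracted (the pegasus.fleet / galactica.fleet / *.fleet values from the message are constructed sample input, not a parsed certificate); matching is exact, because supplicants configured by CAT pin a literal name rather than evaluating wildcards. The handling of a name that is present only in the CN (not discussed in the thread) is an assumption and is marked as such in the code.

```python
"""Added example: check an EAP server certificate's names against the
Server Name configured in a CAT profile, as described in the reply above.
Inputs are names already extracted from the certificate (constructed
sample data below); this is not a certificate parser and not CAT code."""

from dataclasses import dataclass, field
from typing import List, Tuple

# Severity order used to decide whether a profile is safe to deploy.
_LEVELS = {"notice": 0, "warning": 1, "error": 2}


@dataclass
class ServerCertNames:
    """Names as they appear in the EAP server certificate."""
    cn: str
    san_dns: List[str] = field(default_factory=list)


def wildcard_names(names: List[str]) -> List[str]:
    """Return every name containing a '*' (CN or SAN:DNS)."""
    return [n for n in names if "*" in n]


def check_server_name(cert: ServerCertNames,
                      configured_name: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings for one configured Server Name.

    Mirrors the reply: a wildcard anywhere in the certificate only yields a
    notice; what matters is whether the pinned name is present, exactly, in
    both the CN and a SAN:DNS entry."""
    findings: List[Tuple[str, str]] = []
    name = configured_name.strip().lower()
    cn = cert.cn.strip().lower()
    san = [s.strip().lower() for s in cert.san_dns]

    # Notice text paraphrases the CAT realm reachability message quoted above.
    wild = wildcard_names([cn] + san)
    if wild:
        findings.append(("notice",
                         "certificate contains wildcard name(s) "
                         f"{', '.join(wild)}; ignorable if the configured "
                         "Server Name is a wildcardless name"))

    # Supplicants pin a literal name; a wildcard as the pinned name is the
    # case Windows 8/8.1 are reported to choke on.
    if "*" in name:
        findings.append(("error",
                         "configured Server Name is itself a wildcard; "
                         "pin a non-wildcard name present in the certificate"))
        return findings

    in_cn = (name == cn)
    in_san = name in san
    if in_cn and in_san:
        pass  # the pegasus.fleet case: present in both, no issue
    elif in_san and not in_cn:
        # The galactica.fleet case from the reply.
        findings.append(("warning",
                         "configured Server Name is only in SAN:DNS, not in "
                         "CN; see the EAP server certificate considerations"))
    elif in_cn and not in_san:
        # Assumption (not covered by the thread): treat CN-only symmetrically.
        findings.append(("warning",
                         "configured Server Name is only in CN, not in "
                         "SAN:DNS"))
    else:
        findings.append(("error",
                         "configured Server Name appears in neither CN nor "
                         "SAN:DNS; supplicants will reject the server"))
    return findings


def is_safe(findings: List[Tuple[str, str]]) -> bool:
    """True when nothing above 'notice' was raised."""
    return all(_LEVELS[level] == 0 for level, _ in findings)


if __name__ == "__main__":
    # Constructed sample matching the names used in the reply.
    cert = ServerCertNames(cn="pegasus.fleet",
                           san_dns=["pegasus.fleet", "galactica.fleet",
                                    "*.fleet"])
    for pinned in ("pegasus.fleet", "galactica.fleet", "*.fleet"):
        result = check_server_name(cert, pinned)
        print(f"Server Name = {pinned}: safe={is_safe(result)}")
        for level, msg in result:
            print(f"  [{level}] {msg}")
```

Running it shows the three outcomes from the reply: pegasus.fleet yields only the ignorable wildcard notice, galactica.fleet additionally gets the SAN-only warning, and pinning *.fleet itself is an error. The same function can be run over the names of every profile an institution has configured before installers are generated.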



